VYPR
Get started
← All vendors
Vendor

Universal Tool Calling Protocol

Sign in to watch
Products
2
CVEs
5
Across products
5
Status
Private

Products

2

Recent CVEs

5
CVESevRiskCVSSEPSSKEVPublishedDescription
CVE-2026-45369Hig0.548.30.00May 14, 2026python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands. This vulnerability is fixed in 1.1.3.
CVE-2026-45370Hig0.507.70.00May 14, 2026python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This vulnerability is fixed in 1.1.3.
CVE-2025-14542Hig0.427.50.00Dec 13, 2025The vulnerability arises when a client fetches a tools’ JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the clients’ trust, a malicious provider can later change the manual to exploit the client.
CVE-2026-44661Med0.314.70.00May 14, 2026python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / loopback allowlist, but call_tool() and call_tool_streaming() reuse the resolved tool_call_template.url directly without revalidating, and the OpenAPI converter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the OpenAPI converter then produces tools whose URL points at internal services on the agent host. All three HTTP-class protocols (utcp_http.http, utcp_http.streamable_http, utcp_http.sse) shared the same gap. This vulnerability is fixed in 1.1.3.
CVE-2026-453660.00May 14, 2026## Summary The `@utcp/http` package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. `registerManual()` validates the discovery URL against an HTTPS / loopback allowlist, but `callTool()` reuses the resolved `toolCallTemplate.url` directly without revalidating, and the `OpenApiConverter` blindly trusts whatever `servers[0].url` an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. `servers: [{ url: "http://127.0.0.1:9090" }]` or `servers: [{ url: "http://169.254.169.254" }]`; the converter then produces tools whose URL points at internal services on the agent host. A separate prefix-bypass also affected the discovery-time check: the previous `startsWith('http://localhost')` guard let URLs like `http://localhost.evil.com` through. ## Sister advisory This is the npm/TypeScript counterpart of [GHSA-39j6-4867-gg4w / CVE-2026-44661](https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-39j6-4867-gg4w) on the Python `utcp-http` package. Same vulnerability, same fix shape, same reporter. ## Versions and patch state - `@utcp/http <= 1.1.1` — vulnerable. Both the loopback-redirect (`http://127.0.0.1`) and the non-loopback internal-IP variants (e.g. `http://169.254.169.254`, `http://10.0.0.5`) succeed. Note: the `streamable_http` and `sse` `callToolStreaming` paths in 1.1.1 are TODO placeholders and don't actually fetch URLs, so the runtime SSRF surface in these protocols is currently confined to discovery — a future implementation must also call `ensureSecureUrl` before issuing the request. - `@utcp/http 1.1.2` — full fix. Runtime revalidation in `callTool` closes the non-loopback variants; the `OpenApiConverter` rejects, at conversion time, any spec fetched from a non-loopback source that declares a loopback `servers[0].url`, closing the loopback-redirect variant. ## Impact A remote attacker who can convince the agent (via the LLM context, prompt injection, or a tool-discovery surface) to register their HTTPS OpenAPI URL can: - Map internal networks behind the agent. - Read AWS/GCP IAM credentials from cloud metadata endpoints (`http://169.254.169.254`, `http://metadata.google.internal`). - Reach unauthenticated internal services exposed on loopback (Elasticsearch, Redis HTTP, internal admin panels, the agent's own HTTP server). - Have responses returned to the LLM, which combined with prompt injection enables exfiltration back to the attacker. ## Patch Commit on `dev`: 21f63e6. New helper `packages/http/src/_security.ts` exposes `isSecureUrl`, `isLoopbackUrl`, `ensureSecureUrl`. Hostname-based validation closes the prefix bypass (`http://localhost.evil.com` → rejected). All three protocols' `registerManual` now call `ensureSecureUrl(url, 'manual discovery')`; `callTool` re-checks the resolved URL with `ensureSecureUrl(url, 'tool invocation')` immediately before the axios request. `OpenApiConverter` rejects remote spec → loopback server. ## Workarounds For users who cannot upgrade immediately: - Refuse to call `registerManual` with any URL controlled by an untrusted party, even over HTTPS. - Restrict outbound network access from the host running the agent so internal addresses (RFC1918, 169.254.0.0/16, loopback) are unreachable. ## Credit Discovered and reported by [@YLChen-007](https://github.com/YLChen-007) against the Python sibling implementation (universal-tool-calling-protocol/python-utcp#83). The TypeScript port shared the same code shape and the same vulnerability.